CN106060043A - Abnormal flow detection method and device - Google Patents
- Publication number: CN106060043A (application CN201610373443.4A)
- Authority: CN (China)
- Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00—Network architectures or network communication protocols for network security › H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
  - H04L63/1408—by monitoring network traffic › H04L63/1425—Traffic logging, e.g. anomaly detection
  - H04L63/1441—Countermeasures against malicious traffic › H04L63/145—Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
  - H04L63/1441—Countermeasures against malicious traffic › H04L63/1458—Denial of Service
Abstract
The embodiments of the invention disclose an abnormal traffic detection method and device in the field of network technology. Data marked as normal and data marked as abnormal in the training data are used in advance to train a first classifier that distinguishes normal traffic data from abnormal traffic data, and data marked with a specific attack in the training data are used to train a second classifier that distinguishes the various specific attacks. The method comprises: obtaining the target data corresponding to the traffic to be detected; classifying the target data with the first classifier to obtain a first classification result; judging whether the first classification result is abnormal; if so, classifying the target data with the second classifier to obtain a second classification result; and determining, from the second classification result, the specific attack corresponding to the traffic to be detected. The embodiments of the invention improve the detection precision of abnormal traffic.
Description
Technical field
The present invention relates to the field of network technology, and in particular to a method and device for detecting abnormal traffic.
Background technology
With the rapid development of computer networks, threatening behaviour that attacks computer networks is becoming more and more common, and the harm caused by such behaviour is largely unpredictable. It is therefore necessary to discover network intrusion behaviour in a timely manner.

Network traffic is the data traffic produced on a network by the devices connected to it. Network intrusion behaviour is usually accompanied by a change in network traffic, and most network security problems show up most directly as a change in network traffic. The irregularly changing network traffic produced by intrusion behaviour is called abnormal traffic, so detecting abnormal traffic in time is of great significance for discovering network intrusion behaviour.

At present, the detection method for abnormal traffic is mainly as follows: the training data corresponding to traffic is labelled in advance as normal traffic data or as one of various kinds of abnormal traffic data; a data mining algorithm is used to train on the labelled training data, obtaining a single classifier that distinguishes normal traffic data from the various kinds of abnormal traffic data; and the classifier obtained is used to classify the test data, the classification result being the abnormal traffic detection result.

However, the above training data generally uses the traffic data in some particular database. As network traffic is generated in large volumes, the traffic data in this database changes with it, so the difference in quantity between the normal traffic data and each kind of abnormal traffic data in the training data grows larger and larger, and the detection precision of the above abnormal traffic detection method is therefore relatively low.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a method and device for detecting abnormal traffic, so as to improve the detection precision of abnormal traffic.
To achieve the above purpose, the embodiments of the present invention disclose an abnormal traffic detection method. In advance, the data marked as normal and the data marked as abnormal in the training data are used for training to obtain a first classifier for distinguishing normal traffic data from abnormal traffic data, and the data marked with a specific attack in the training data are used for training to obtain a second classifier for distinguishing the various specific attacks. The method includes:
- obtaining the target data corresponding to the traffic to be detected;
- classifying the target data with the first classifier to obtain a first classification result;
- judging whether the first classification result is abnormal;
- if so, classifying the target data with the second classifier to obtain a second classification result;
- determining, from the second classification result, the specific attack corresponding to the traffic to be detected.

Preferably, the method further includes: when the first classification result is normal, determining the traffic to be detected to be normal traffic.

Preferably, the specific attack is: a denial of service attack, a surveillance and probing attack, an unauthorized access attack from a remote machine, or an unauthorized access attack on local superuser privileges by a local ordinary user.

Preferably, the data mining algorithm used to obtain the first classifier for distinguishing normal traffic data from abnormal traffic data is the K-means clustering algorithm, a decision tree classification algorithm, or a random forest classification algorithm.

Preferably, the data mining algorithm used to obtain the second classifier for distinguishing the various specific attacks is a random forest classification algorithm or a decision tree classification algorithm.
To achieve the above purpose, the embodiments of the present invention also disclose an abnormal traffic detection device, including:
- a first obtaining module, configured to use in advance the data marked as normal and the data marked as abnormal in the training data for training, obtaining a first classifier for distinguishing normal traffic data from abnormal traffic data, and to use the data marked with a specific attack in the training data for training, obtaining a second classifier for distinguishing the various specific attacks;
- a second obtaining module, configured to obtain the target data corresponding to the traffic to be detected;
- a first classification module, configured to classify the target data with the first classifier, obtaining a first classification result;
- a judging module, configured to judge whether the first classification result is abnormal;
- a second classification module, configured, when the judgement of the judging module is yes, to classify the target data with the second classifier, obtaining a second classification result;
- a first determining module, configured to determine, from the second classification result, the specific attack corresponding to the traffic to be detected.

Preferably, the device further includes a second determining module, configured, when the judgement of the judging module is no, to determine the traffic to be detected to be normal traffic.

Preferably, the first obtaining module is specifically configured to: use in advance the data marked as normal and the data marked as abnormal in the training data for training, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and use the data in the training data marked as a denial of service attack, a surveillance and probing attack, an unauthorized access attack from a remote machine, or an unauthorized access attack on local superuser privileges by a local ordinary user for training, obtaining the second classifier for distinguishing among these four attacks.

The first determining module is then specifically configured to determine, from the second classification result, that the specific attack corresponding to the traffic to be detected is a denial of service attack, a surveillance and probing attack, an unauthorized access attack from a remote machine, or an unauthorized access attack on local superuser privileges by a local ordinary user.

Preferably, the first obtaining module is specifically configured to use in advance the K-means clustering algorithm, a decision tree classification algorithm or a random forest classification algorithm to train on the data marked as normal and the data marked as abnormal in the training data, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and to train on the data marked with a specific attack in the training data, obtaining the second classifier for distinguishing the various specific attacks.

Preferably, the first obtaining module is specifically configured to train on the data marked as normal and the data marked as abnormal in the training data, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and to use a random forest classification algorithm or a decision tree classification algorithm to train on the data marked with a specific attack in the training data, obtaining the second classifier for distinguishing the various specific attacks.
As can be seen from the above, the embodiments of the present invention provide an abnormal traffic detection method and device. In advance, the data marked as normal and the data marked as abnormal in the training data are used for training to obtain a first classifier for distinguishing normal traffic data from abnormal traffic data, and the data marked with a specific attack in the training data are used for training to obtain a second classifier for distinguishing the various specific attacks. The method specifically includes: obtaining the target data corresponding to the traffic to be detected; classifying the target data with the first classifier to obtain a first classification result; judging whether the first classification result is abnormal; if so, classifying the target data with the second classifier to obtain a second classification result; and determining, from the second classification result, the specific attack corresponding to the traffic to be detected.

It can be seen that, in the embodiments of the present invention, the first classifier is trained on the data marked as normal and the data marked as abnormal, and the second classifier is trained on the data marked with a specific attack. Compared with the difference in quantity between normal traffic data and each individual kind of abnormal traffic data, the difference in quantity between normal traffic data and the sum of all abnormal traffic data is relatively small, and the differences in quantity among the various kinds of abnormal traffic data are also relatively small. Therefore, when the target data corresponding to the traffic to be detected is detected by combining the first classifier and the second classifier, the detection precision is relatively high.
Accompanying drawing explanation
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.

- Fig. 1 is a schematic flow chart of an abnormal traffic detection method provided by an embodiment of the present invention;
- Fig. 2 is a schematic flow chart of another abnormal traffic detection method provided by an embodiment of the present invention;
- Fig. 3 is a schematic structural diagram of an abnormal traffic detection device provided by an embodiment of the present invention;
- Fig. 4 is a schematic structural diagram of another abnormal traffic detection device provided by an embodiment of the present invention.
Detailed description of the invention
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The embodiments of the present invention provide an abnormal traffic detection method and device. In advance, the data marked as normal and the data marked as abnormal in the training data are used for training to obtain a first classifier for distinguishing normal traffic data from abnormal traffic data, and the data marked with a specific attack in the training data are used for training to obtain a second classifier for distinguishing the various specific attacks. Specifically:
- obtain the target data corresponding to the traffic to be detected;
- classify the target data with the first classifier to obtain a first classification result;
- judge whether the first classification result is abnormal;
- if so, classify the target data with the second classifier to obtain a second classification result;
- determine, from the second classification result, the specific attack corresponding to the traffic to be detected.
The present invention is described in detail below by way of specific embodiments.

It should be noted that before detection, the data marked as normal and the data marked as abnormal in the training data must be used in advance for training to obtain the first classifier for distinguishing normal traffic data from abnormal traffic data, and the data marked with a specific attack in the training data must be used for training to obtain the second classifier for distinguishing the various specific attacks. Those skilled in the art will understand that a judgement model must be established before abnormal traffic can be detected. The embodiments of the present invention require two judgement models to be established in advance, namely the first classifier and the second classifier. The first classifier is obtained by training on the data marked as normal and the data marked as abnormal in the training data; it has a criterion of judgement and can distinguish normal traffic data from abnormal traffic data. The second classifier is obtained by training on the data marked with a specific attack in the training data; it likewise has a criterion of judgement and can distinguish the various specific attacks.

In practical applications, the above specific attack can be: a denial of service attack (Denial Of Service, DOS); a surveillance and probing attack (Surveillance And Probing, PROBING); an unauthorized access attack from a remote machine (Unauthorized Access From A Remote Machine To A Local Machine, R2L); or an unauthorized access attack on local superuser privileges by a local ordinary user (Unauthorized Access To Local Superuser Privileges By A Local Unprivileged User, U2R).

A data mining algorithm can be used to obtain the first classifier and the second classifier. A data mining algorithm is a set of heuristics and calculations that create a data mining model from data. Data mining can automatically find, in a large amount of data, special relationship information that cannot be recognised directly. Using data mining to obtain the first and second classifiers reduces the influence of human and accidental factors. Data mining algorithms include clustering algorithms, classification algorithms and so on. In a preferred embodiment of the present invention, the data mining algorithm used to obtain the first classifier is the K-means clustering algorithm, a decision tree classification algorithm or a random forest classification algorithm. In another preferred embodiment of the present invention, the data mining algorithm used to obtain the second classifier is a random forest classification algorithm or a decision tree classification algorithm. The details of the K-means clustering algorithm, decision tree classification algorithms and random forest classification algorithms are known to those skilled in the art and are not repeated here. A first classifier and a second classifier obtained with the above data mining algorithms give a relatively high detection precision when classifying target data.
Fig. 1 is a schematic flow chart of an abnormal traffic detection method provided by an embodiment of the present invention, which may include:

S101: obtain the target data corresponding to the traffic to be detected.

Those skilled in the art will understand that detecting traffic is in substance detecting the data corresponding to the traffic, so the target data corresponding to the traffic to be detected must be obtained.

S102: classify the target data with the first classifier to obtain a first classification result.

It will be understood that the first classifier is the one obtained in advance, and that it can distinguish normal traffic data from abnormal traffic data. Therefore, after the target data is classified with the first classifier, it is marked either as normal traffic data or as abnormal traffic data; that is, the first classification result is either normal or abnormal.

S103: judge whether the first classification result is abnormal; if so, perform S104.

S104: classify the target data with the second classifier to obtain a second classification result.

It will be understood that the second classifier is the one obtained in advance, and that it can distinguish the various specific attacks. Therefore, after the target data is classified with the second classifier, it is marked with one of the various specific attacks; that is, the second classification result is the particular specific attack to which the target data corresponds.

In practical applications, the above specific attack can be: a denial of service attack (Denial Of Service, DOS); a surveillance and probing attack (Surveillance And Probing, PROBING); an unauthorized access attack from a remote machine (Unauthorized Access From A Remote Machine To A Local Machine, R2L); or an unauthorized access attack on local superuser privileges by a local ordinary user (Unauthorized Access To Local Superuser Privileges By A Local Unprivileged User, U2R).

S105: determine, from the second classification result, the specific attack corresponding to the traffic to be detected.

It will be understood that the second classification result is the particular specific attack to which the target data corresponds, and that the target data corresponds to the traffic to be detected; therefore the type of specific attack corresponding to the traffic to be detected can be determined from the second classification result. For example, if the second classification result is that the target data corresponds to a denial of service attack, it can be determined that the traffic to be detected corresponds to a denial of service attack.
As can be seen from the above, in the embodiment of the present invention shown in Fig. 1, the first classifier is trained in advance on the data marked as normal and the data marked as abnormal in the training data, and the second classifier is trained on the data marked with a specific attack. Compared with the difference in quantity between normal traffic data and each individual kind of abnormal traffic data, the difference in quantity between normal traffic data and the sum of all abnormal traffic data is relatively small, and the differences in quantity among the various kinds of abnormal traffic data are also relatively small; therefore, when the target data corresponding to the traffic to be detected is detected by combining the first classifier and the second classifier, the detection precision is relatively high.

In the above embodiment, the judgement in S103 may also be no. On this basis, in one specific implementation of the present invention, Fig. 2 provides a schematic flow chart of another abnormal traffic detection method which, compared with the above embodiment, may further include:

S106: determine the traffic to be detected to be normal traffic.

It will be understood that the target data corresponds to the traffic to be detected; therefore, when the first classification result is judged to be normal, the traffic to be detected corresponding to the target data can be determined to be normal traffic.

As can be seen from the above, the embodiment of the present invention shown in Fig. 2 can improve not only the detection precision of abnormal traffic but also the detection precision of normal traffic.
In practical applications, the embodiment of the present invention may specifically also be:
- obtain the target data corresponding to the traffic to be detected;
- classify the target data with the first classifier to obtain a first classification result;
- classify the target data with the second classifier to obtain a second classification result;
- judge whether the first classification result is abnormal;
- if so, determine, from the second classification result, the specific attack corresponding to the traffic to be detected;
- if not, determine the traffic to be detected to be normal traffic.
The abnormal traffic detection method provided by the embodiment of the present invention is described in detail below, taking the three data mining algorithms K-means clustering, decision tree classification and random forest classification as examples.

First, a set of training data and the target data corresponding to a set of traffic to be detected are prepared. Each item of training data is marked as normal traffic data or abnormal traffic data, and the abnormal traffic data is further marked with its specific attack, namely DOS attack data, PROBING attack data, R2L attack data or U2R attack data.

Then, six groups of experiments are carried out with the abnormal traffic detection method provided by the embodiment of the present invention, as shown in Table 1. In advance, a first data mining algorithm is used to train on the data marked as normal and the data marked as abnormal in the training data, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data, and a second data mining algorithm is used to train on the data marked with a specific attack in the training data, obtaining the second classifier for distinguishing the various specific attacks. The first data mining algorithm is the K-means clustering algorithm, the decision tree classification algorithm or the random forest classification algorithm, and the second data mining algorithm is the decision tree classification algorithm or the random forest classification algorithm.
Table 1

| No. | First data mining algorithm | Second data mining algorithm |
|---|---|---|
| 1 | K-means clustering algorithm | Random forest classification algorithm |
| 2 | K-means clustering algorithm | Decision tree classification algorithm |
| 3 | Decision tree classification algorithm | Decision tree classification algorithm |
| 4 | Decision tree classification algorithm | Random forest classification algorithm |
| 5 | Random forest classification algorithm | Decision tree classification algorithm |
| 6 | Random forest classification algorithm | Random forest classification algorithm |
Next, the target data is classified with the first classifier to obtain a first classification result, and it is judged whether the first classification result is abnormal. If so, the target data is classified with the second classifier to obtain a second classification result, and the specific attack corresponding to the traffic to be detected is determined from the second classification result; if not, the traffic to be detected is determined to be normal traffic.

Then, for comparison with the detection method provided by the embodiment of the present invention, three groups of control experiments are carried out with the current abnormal traffic detection method, as shown in Table 2. In advance, a third data mining algorithm is used to train on the data marked as normal and the data marked with a specific attack in the training data, obtaining a single classifier for distinguishing normal traffic data from the various kinds of specific attack data; the classifier obtained is used to classify the target data, and the classification result is the abnormal traffic detection result. The third data mining algorithm is the K-means clustering algorithm, the decision tree classification algorithm or the random forest classification algorithm.
Table 2

| No. | Third data mining algorithm |
|---|---|
| 1 | K-means clustering algorithm |
| 2 | Decision tree classification algorithm |
| 3 | Random forest classification algorithm |
Finally, the above nine groups of detection results are compared with the actual situation of the target data corresponding to the traffic to be detected to obtain the detection precision. For example, if 4 items of DOS attack data are detected and the actual situation is 5 items of DOS attack data, the detection precision is 0.8. Groups 1 to 6 are the detection results obtained with the detection method provided by the embodiment of the present invention, and groups 7 to 9 are the detection results obtained with the current detection method. The detection precision figures are shown in Table 3; the higher the value in Table 3, the higher the detection precision.
Table 3

| No. | Normal | DOS | PROBING | U2R | R2L |
|---|---|---|---|---|---|
| 1 | 0.945 | 0.983 | 0.939 | 0.561 | 0.679 |
| 2 | 0.946 | 0.979 | 0.910 | 0.522 | 0.772 |
| 3 | 0.951 | 0.984 | 0.829 | 0.511 | 0.512 |
| 4 | 0.951 | 0.986 | 0.831 | 0.550 | 0.517 |
| 5 | 0.954 | 0.980 | 0.861 | 0.547 | 0.521 |
| 6 | 0.952 | 0.985 | 0.872 | 0.520 | 0.528 |
| 7 | 0.938 | 0.968 | 0.785 | 0.500 | 0.510 |
| 8 | 0.927 | 0.950 | 0.793 | 0.500 | 0.500 |
| 9 | 0.929 | 0.955 | 0.776 | 0.503 | 0.507 |
It can be seen from Table 3 that the abnormal traffic detection method provided by the present invention has a relatively high detection precision compared with the current detection method.
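The two-stage pipeline of S101 to S106 and the per-class detection precision of Table 3, as an added example that is not part of the patent (standard-library Python only). The four-feature layout, every training and test record, and the use of a 1-nearest-neighbour classifier in place of the patent's K-means, decision tree and random forest algorithms are assumptions made for this illustration.

```python
"""Two-stage abnormal-traffic detector in the style of CN106060043A.

Constructed example: the feature layout and every record below are made up
for this illustration.  A plain 1-nearest-neighbour (Euclidean) classifier
stands in for the patent's data-mining algorithms so the block runs with
only the standard library.
"""
from collections import Counter
from math import dist

# Assumed feature order: packets per second, distinct destination ports,
# failed logins, privileged (root) commands.  All values are constructed.
TRAIN = [
    # normal traffic
    ((1, 1, 0, 0), "normal"), ((2, 2, 0, 0), "normal"),
    ((3, 1, 0, 0), "normal"), ((1, 2, 1, 0), "normal"),
    # DOS: high packet rate against a single port
    ((95, 1, 0, 0), "dos"), ((100, 1, 0, 0), "dos"), ((90, 2, 0, 0), "dos"),
    # PROBING: many distinct destination ports
    ((20, 40, 0, 0), "probing"), ((30, 60, 0, 0), "probing"),
    # R2L: repeated failed logins from a remote machine
    ((2, 1, 6, 0), "r2l"), ((3, 1, 8, 0), "r2l"),
    # U2R: local user issuing privileged commands
    ((2, 1, 0, 7), "u2r"), ((1, 1, 1, 9), "u2r"),
]


class NearestNeighbour:
    """1-NN classifier standing in for the patent's data-mining algorithms."""

    def __init__(self, samples):
        self.samples = list(samples)  # list of (features, label)

    def predict(self, x):
        # Label of the training record closest to x in Euclidean distance.
        return min(self.samples, key=lambda s: dist(s[0], x))[1]


def train_two_stage(train):
    """Build the first classifier (normal vs abnormal) and the second
    classifier (which attack type) from the same labelled training data."""
    stage1 = [(f, "normal" if y == "normal" else "abnormal") for f, y in train]
    stage2 = [(f, y) for f, y in train if y != "normal"]  # attacks only
    return NearestNeighbour(stage1), NearestNeighbour(stage2)


def detect(first, second, x):
    """S101-S106: the second classifier runs only when the first says 'abnormal'."""
    if first.predict(x) == "normal":
        return "normal"  # S106
    return second.predict(x)  # S104/S105


def detection_precision(predictions, truth):
    """Per-class 'detected / actual', as in the patent's worked figure
    (4 detected of 5 actual DOS records -> 0.8).  Interpreted here as the
    correctly classified records of a class divided by its actual records."""
    actual = Counter(truth)
    hits = Counter(p for p, t in zip(predictions, truth) if p == t)
    return {c: round(hits[c] / actual[c], 3) for c in actual}


# Constructed test traffic with its true labels.  The sixth record is a
# low-volume R2L attempt (only two failed logins) that resembles normal
# traffic: the first classifier passes it as normal, so the second never
# sees it, although the second alone would have typed it as r2l.
TEST = [
    ((2, 1, 0, 0), "normal"), ((97, 1, 0, 0), "dos"), ((26, 50, 0, 0), "probing"),
    ((2, 1, 7, 0), "r2l"), ((2, 1, 0, 8), "u2r"), ((3, 1, 2, 0), "r2l"),
    ((1, 1, 0, 0), "normal"), ((88, 1, 0, 0), "dos"), ((2, 2, 0, 0), "normal"),
    ((4, 1, 0, 6), "u2r"),
]


def run_experiment(train=TRAIN, test=TEST):
    """Train both classifiers, detect every test record, and score per class."""
    first, second = train_two_stage(train)
    preds = [detect(first, second, x) for x, _ in test]
    return preds, detection_precision(preds, [y for _, y in test])


if __name__ == "__main__":
    preds, precision = run_experiment()
    for (x, truth), p in zip(TEST, preds):
        print(f"{x!s:18} actual={truth:8} detected={p}")
    print(precision)  # r2l scores 0.5: one of two R2L records was gated out
```

The gating caveat this shows is structural, not a property of the stand-in classifier: any attack the first classifier labels normal is never typed by the second, so the first stage's miss rate bounds what the second stage can recover.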
Corresponding to the above method embodiments, the embodiments of the present invention also provide an abnormal traffic detection device. Fig. 3 is a schematic structural diagram of an abnormal traffic detection device provided by an embodiment of the present invention, which may include: a first obtaining module 300, a second obtaining module 301, a first classification module 302, a judging module 303, a second classification module 304 and a first determining module 305.

- The first obtaining module 300 is configured to use in advance the data marked as normal and the data marked as abnormal in the training data for training, obtaining a first classifier for distinguishing normal traffic data from abnormal traffic data, and to use the data marked with a specific attack in the training data for training, obtaining a second classifier for distinguishing the various specific attacks.
- The second obtaining module 301 is configured to obtain the target data corresponding to the traffic to be detected.
- The first classification module 302 is configured to classify the target data with the first classifier, obtaining a first classification result.
- The judging module 303 is configured to judge whether the first classification result is abnormal.
- The second classification module 304 is configured, when the judgement of the judging module is yes, to classify the target data with the second classifier, obtaining a second classification result.
- The first determining module 305 is configured to determine, from the second classification result, the specific attack corresponding to the traffic to be detected.
In an embodiment of the present invention, the first acquisition module 300 may specifically be configured to: train in advance on the data in the training data labelled as normal and the data labelled as abnormal, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and train on the data in the training data labelled as a denial-of-service attack, a surveillance and other probing attack, an unauthorized access attack from a remote machine, or an unauthorized access attack by an ordinary user on local superuser privileges, obtaining the second classifier for distinguishing denial-of-service attacks, surveillance and other probing attacks, unauthorized access attacks from a remote machine, and unauthorized access attacks by an ordinary user on local superuser privileges.
In an embodiment of the present invention, the first determination module 305 may specifically be configured to: determine, according to the second classification result, that the specific attack corresponding to the traffic to be detected is a denial-of-service attack, a surveillance and other probing attack, an unauthorized access attack from a remote machine, or an unauthorized access attack by an ordinary user on local superuser privileges.
In an embodiment of the present invention, the first acquisition module 300 may specifically be configured to: using a K-means clustering algorithm, a decision tree classification algorithm or a random forest classification algorithm, train in advance on the data in the training data labelled as normal and the data labelled as abnormal, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and train on the data in the training data labelled with a specific attack, obtaining the second classifier for distinguishing the various specific attacks.
In an embodiment of the present invention, the first acquisition module 300 may specifically be configured to: train in advance on the data in the training data labelled as normal and the data labelled as abnormal, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and, using a random forest classification algorithm or a decision tree classification algorithm, train on the data in the training data labelled with a specific attack, obtaining the second classifier for distinguishing the various specific attacks.
As can be seen from the above, the embodiment shown in Fig. 3 of the present invention trains in advance on the data in the training data labelled as normal and the data labelled as abnormal, obtaining a first classifier for distinguishing normal traffic data from abnormal traffic data, and trains on the data in the training data labelled with a specific attack, obtaining a second classifier for distinguishing the various specific attacks. Compared with the quantity gap between normal traffic data and each individual kind of abnormal traffic data, the quantity gap between normal traffic data and the sum of all abnormal traffic data is relatively small, and the quantity gaps among the various kinds of abnormal traffic data are also relatively small; therefore, when the first classifier and the second classifier are combined to detect the target data corresponding to the traffic to be detected, the detection precision is relatively high.
Fig. 4 is a schematic structural diagram of another abnormal traffic detection device provided by an embodiment of the present invention. The embodiment shown in Fig. 4 of the present invention adds a second determination module 306 on the basis of the embodiment shown in Fig. 3. The second determination module 306 is configured, when the judgement result of the judgement module is no, to determine that the traffic to be detected is normal traffic.
As can be seen from the above, the embodiment shown in Fig. 4 of the present invention can improve not only the detection precision for abnormal traffic but also the detection precision for normal traffic.
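The two-stage pipeline of the Fig. 3 and Fig. 4 embodiments, written out as an added Python example that is not part of the patent: the first classifier is trained on every sample with the attack labels collapsed to "abnormal", the second only on the attack-labelled samples, and the second is consulted only when the first reports abnormal. The feature vectors, the attack labels (dos, probe, r2l, u2r) and the min-max scaled nearest-neighbour learner are assumptions standing in for the K-means, decision tree or random forest learners the patent names.

```python
import math

NORMAL = "normal"
ABNORMAL = "abnormal"


class NearestNeighbourClassifier:
    """1-NN over min-max scaled features (stand-in learner, see lead-in)."""

    def fit(self, samples):
        xs = [x for x, _ in samples]
        dims = len(xs[0])
        self.lo = [min(x[i] for x in xs) for i in range(dims)]
        self.hi = [max(x[i] for x in xs) for i in range(dims)]
        self.samples = [(self._scale(x), y) for x, y in samples]
        return self

    def _scale(self, x):
        # Scale every feature into [0, 1] so that connection counts in the
        # thousands do not swamp small but decisive features (root shells).
        return [(v - lo) / (hi - lo) if hi > lo else 0.0
                for v, lo, hi in zip(x, self.lo, self.hi)]

    def predict(self, x):
        sx = self._scale(x)
        return min(self.samples, key=lambda s: math.dist(s[0], sx))[1]


class TwoStageDetector:
    """First classifier: normal vs abnormal; second: which concrete attack."""

    def __init__(self):
        self.first = NearestNeighbourClassifier()
        self.second = NearestNeighbourClassifier()

    def fit(self, training):
        # First classifier sees every sample, with all attack labels
        # collapsed to "abnormal" (the patent's first acquisition step).
        binary = [(x, NORMAL if y == NORMAL else ABNORMAL) for x, y in training]
        self.first.fit(binary)
        # Second classifier sees only the samples labelled with a concrete
        # attack, so normal traffic never dilutes its classes.
        self.second.fit([(x, y) for x, y in training if y != NORMAL])
        return self

    def detect(self, x):
        # Judgement module: is the first classification result abnormal?
        if self.first.predict(x) != ABNORMAL:
            return NORMAL                 # second determination module (Fig. 4)
        return self.second.predict(x)     # first determination module (Fig. 3)


# Constructed training records: ([connections/s, distinct destination
# ports, failed logins, root shells], label). Values are illustrative.
TRAINING = [
    ([5, 2, 0, 0], NORMAL), ([8, 3, 0, 0], NORMAL),
    ([3, 1, 0, 0], NORMAL), ([6, 2, 1, 0], NORMAL),
    ([900, 1, 0, 0], "dos"), ([1200, 2, 0, 0], "dos"),
    ([200, 400, 0, 0], "probe"), ([150, 300, 0, 0], "probe"),
    ([4, 1, 30, 0], "r2l"), ([6, 2, 25, 0], "r2l"),
    ([2, 1, 1, 3], "u2r"), ([3, 1, 0, 2], "u2r"),
]


def build_detector():
    return TwoStageDetector().fit(TRAINING)


def detect_all(detector, records):
    """Label each feature vector with normal or the concrete attack type."""
    return [detector.detect(x) for x in records]


if __name__ == "__main__":
    det = build_detector()
    for x in ([7, 2, 0, 0], [1000, 1, 0, 0], [5, 1, 28, 0], [2, 1, 0, 3]):
        print(x, "->", det.detect(x))
```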
It should be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. In the absence of further restriction, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Each embodiment in this specification is described in a related manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the device embodiment is described quite briefly because it is substantially similar to the method embodiment; for the relevant details, refer to the description of the method embodiment.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiment may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium; the storage medium referred to herein is, for example, ROM/RAM, a magnetic disk, an optical disc, or the like.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (10)
1. An abnormal traffic detection method, characterized in that a first classifier for distinguishing normal traffic data from abnormal traffic data is obtained in advance by training on the data in the training data labelled as normal and the data labelled as abnormal, and a second classifier for distinguishing various specific attacks is obtained by training on the data in the training data labelled with a specific attack; the method comprises:
obtaining the target data corresponding to the traffic to be detected;
classifying the target data with the first classifier to obtain a first classification result;
judging whether the first classification result is abnormal;
if so, classifying the target data with the second classifier to obtain a second classification result;
determining, according to the second classification result, the specific attack corresponding to the traffic to be detected.
2. The method according to claim 1, characterized in that the method further comprises:
when the first classification result is normal, determining that the traffic to be detected is normal traffic.
3. The method according to claim 1, characterized in that the specific attack is: a denial-of-service attack, a surveillance and other probing attack, an unauthorized access attack from a remote machine, or an unauthorized access attack by an ordinary user on local superuser privileges.
4. The method according to claim 1, characterized in that the data mining algorithm used to obtain the first classifier for distinguishing normal traffic data from abnormal traffic data is a K-means clustering algorithm, a decision tree classification algorithm or a random forest classification algorithm.
5. The method according to claim 1, characterized in that the data mining algorithm used to obtain the second classifier for distinguishing various specific attacks is a random forest classification algorithm or a decision tree classification algorithm.
6. An abnormal traffic detection device, characterized in that the device comprises:
a first acquisition module, configured to train in advance on the data in the training data labelled as normal and the data labelled as abnormal, obtaining a first classifier for distinguishing normal traffic data from abnormal traffic data; and to train on the data in the training data labelled with a specific attack, obtaining a second classifier for distinguishing various specific attacks;
a second acquisition module, configured to obtain the target data corresponding to the traffic to be detected;
a first classification module, configured to classify the target data with the first classifier, obtaining a first classification result;
a judgement module, configured to judge whether the first classification result is abnormal;
a second classification module, configured, when the judgement result of the judgement module is yes, to classify the target data with the second classifier, obtaining a second classification result;
a first determination module, configured to determine, according to the second classification result, the specific attack corresponding to the traffic to be detected.
7. The device according to claim 6, characterized in that the device further comprises:
a second determination module, configured, when the judgement result of the judgement module is no, to determine that the traffic to be detected is normal traffic.
8. The device according to claim 6, characterized in that the first acquisition module is specifically configured to:
train in advance on the data in the training data labelled as normal and the data labelled as abnormal, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and train on the data in the training data labelled as a denial-of-service attack, a surveillance and other probing attack, an unauthorized access attack from a remote machine, or an unauthorized access attack by an ordinary user on local superuser privileges, obtaining the second classifier for distinguishing denial-of-service attacks, surveillance and other probing attacks, unauthorized access attacks from a remote machine, and unauthorized access attacks by an ordinary user on local superuser privileges;
and the first determination module is specifically configured to:
determine, according to the second classification result, that the specific attack corresponding to the traffic to be detected is a denial-of-service attack, a surveillance and other probing attack, an unauthorized access attack from a remote machine, or an unauthorized access attack by an ordinary user on local superuser privileges.
9. The device according to claim 6, characterized in that the first acquisition module is specifically configured to:
using a K-means clustering algorithm, a decision tree classification algorithm or a random forest classification algorithm, train in advance on the data in the training data labelled as normal and the data labelled as abnormal, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and train on the data in the training data labelled with a specific attack, obtaining the second classifier for distinguishing various specific attacks.
10. The device according to claim 6, characterized in that the first acquisition module is specifically configured to:
train in advance on the data in the training data labelled as normal and the data labelled as abnormal, obtaining the first classifier for distinguishing normal traffic data from abnormal traffic data; and, using a random forest classification algorithm or a decision tree classification algorithm, train on the data in the training data labelled with a specific attack, obtaining the second classifier for distinguishing various specific attacks.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201610373443.4A CN106060043B (en) | 2016-05-31 | 2016-05-31 | Abnormal traffic detection method and device
Publications (2)
Publication Number | Publication Date
---|---
CN106060043A true CN106060043A (en) | 2016-10-26
CN106060043B CN106060043B (en) | 2019-06-07